More on LinuxToday

From: EnGarde Secure Linux <security@guardiandigital.com>
Subject: [ESA-20010530-01] gnupg format string vulnerability
Date: Wed, 30 May 2001 14:54:59 -0400 (EDT)
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory May 30, 2001 |
| http://www.engardelinux.org/ ESA-20010530-01 |
| |
| Package: gnupg |
| Summary: There is a format string vulnerability in the gnupg package. |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.
OVERVIEW
--------
There is a format string vulnerability in gnupg which can allow an
attacker to exploit a victim by sending them a malicious encrypted
message. The attack takes place when the victim attempts to decrypt
this message.
DETAIL
------
From the original advisory disclosing the bug:
"The problem code lies in util/ttyio.c in the 'do_get' function.
There is a call to a function called 'tty_printf' (which eventually
results in a vfprintf call) without a constant format string:
> tty_printf( prompt );
If gpg attempts to decrypt a file whose filename does not end in
'.gpg', that filename (minus the extension) is copied to the prompt
string, allowing a user-suppliable format string."
An exploit does exist and all users are urged to upgrade to the latest
version (1.0.6) immediately.
SOLUTION
--------
All users should upgrade to the most recent version, as outlined in
this advisory. All updates can be found at:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/http://ftp.engardelinux.org/pub/engarde/stable/updates/
Before upgrading the package, the machine must either:
a) be booted into a "standard" kernel; or
b) have LIDS disabled.
To disable LIDS, execute the command:
# /sbin/lidsadm -S -- -LIDS_GLOBAL
To install the updated package, execute the command:
# rpm -Uvh <filename>
To re-enable LIDS (if it was disabled), execute the command:
# /sbin/lidsadm -S -- +LIDS_GLOBAL
To verify the signature of the updated packages, execute the command:
# rpm -Kv <filename>
UPDATED PACKAGES
----------------
Source Packages:
SRPMS/gnupg-1.0.6-1.0.3.src.rpm
MD5 Sum: 1f8f3ab71d5b4c271f4dd1b246b0e191
Binary Packages:
i386/gnupg-1.0.6-1.0.3.i386.rpm
MD5 Sum: 62558d3d186cc6724ace14fab4b119e9
i686/gnupg-1.0.6-1.0.3.i686.rpm
MD5 Sum: 74feaca3f74deda14d78b04daa9b0319
REFERENCES
----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
Credit for the discovery of this bug goes to:
fish stiqz
gnupg's Official Web Site:
http://www.gnupg.org/
The original advisory disclosing the vulnerability:
http://www.linuxsecurity.com/articles/cryptography_article-3083.html
Author: Ryan W. Maple,
Copyright 2001, Guardian Digital, Inc.

Please enable Javascript in your browser, before you post the comment! Now Javascript is disabled.